Bucket Policies and Object Policies
Bucket Owner and Object Owner
The owner of a bucket is the account that created the bucket. If the bucket is created by an IAM user under the account, the bucket owner is the account instead of the IAM user.
The owner of an object is the account that uploads the object, who may not be the owner of the bucket to which the object belongs. For example, account B is granted the permission to access a bucket of account A, and account B uploads a file to the bucket. In that case, instead of the bucket owner account A, account B is the owner of the object.
Bucket Policies
A bucket policy is attached to a bucket and objects in the bucket. By leveraging bucket policies, the owner of a bucket can grant IAM users or other accounts the permissions to operate the bucket and objects in the bucket.
Creating buckets and listing buckets are service-level operations, so the permissions for them are granted through IAM rather than through bucket policies.
Application Scenarios
- If IAM permissions are not used for access control and you want to grant other accounts the permissions to access your OBS resources, you can use bucket policies.
- You can configure bucket policies to grant IAM users different access permissions on buckets.
- You can also use bucket policies to grant other accounts the permissions to access your buckets.
Bucket Policy Templates
OBS Console provides bucket policy templates for six typical scenarios. You can use the templates to quickly configure bucket policies.
When using a template to create a bucket policy, you need to specify principals (authorized users) and resources, or you can modify the template settings, including principal, resources, actions, and conditions.
Template Name | Principal | Resource | Template Action
---|---|---|---
Bucket read-only | To be specified | The bucket and all objects in the bucket | Allows specified users to perform the following actions on the current bucket and all objects in it: Get* (all GET actions); List* (all LIST actions); HeadBucket (to check whether the bucket exists)
Bucket read and write | To be specified | The bucket and all objects in the bucket | Allows specified users to perform all actions on the current bucket and all objects in it, excluding: DeleteBucket (to delete the bucket); PutBucketPolicy (to configure a bucket policy); PutBucketAcl (to configure the bucket ACL)
Directory read-only | To be specified | To be specified (an object name prefix is required) | Allows specified users to perform the following actions on the current bucket and the specified objects in it: ListBucket (to list objects in the bucket and obtain the bucket metadata); HeadBucket (to check whether the bucket exists); GetBucketLocation (to get the bucket location); ListBucketVersions (to list object versions in the bucket); GetObject (to obtain object content and metadata); RestoreObject (to restore objects from Archive storage); GetObjectAcl (to obtain the object ACL); GetObjectVersion (to obtain the content and metadata of a specified object version); GetObjectVersionAcl (to obtain the ACL of a specified object version)
Directory read and write | To be specified | To be specified (an object name prefix is required) | Allows specified users to perform the following actions on the current bucket and the specified objects in it: ListBucket (to list objects in the bucket and obtain the bucket metadata); HeadBucket (to check whether the bucket exists); GetBucketLocation (to get the bucket location); ListBucketVersions (to list object versions in the bucket); ListBucketMultipartUploads (to list multipart uploads); GetObject (to obtain object content and metadata); PutObject (to upload objects using PUT and POST, upload parts, initiate multipart uploads, and assemble parts); RestoreObject (to restore objects from Archive storage); GetObjectAcl (to obtain the object ACL); PutObjectAcl (to configure the object ACL); GetObjectVersion (to obtain the content and metadata of a specified object version); GetObjectVersionAcl (to obtain the ACL of a specified object version); AbortMultipartUpload (to abort multipart uploads); ListMultipartUploadParts (to list uploaded parts); ModifyObjectMetaData (to modify object metadata)
Public read | Anonymous user (all Internet users) | The bucket and all objects in the bucket | Allows anonymous users to perform the following actions on the current bucket and all objects in it: HeadBucket (to check whether the bucket exists); GetBucketLocation (to get the bucket location); ListBucketVersions (to list object versions in the bucket); GetObject (to obtain object content and metadata); RestoreObject (to restore objects from Archive storage); GetObjectVersion (to obtain the content and metadata of a specified object version)
Public read and write | Anonymous user (all Internet users) | The bucket and all objects in the bucket | Allows anonymous users to perform the following actions on the current bucket and all objects in it: ListBucket (to list objects in the bucket and obtain the bucket metadata); HeadBucket (to check whether the bucket exists); GetBucketLocation (to get the bucket location); ListBucketVersions (to list object versions in the bucket); ListBucketMultipartUploads (to list multipart uploads); GetObject (to obtain object content and metadata); PutObject (to upload objects using PUT and POST, upload parts, initiate multipart uploads, and assemble parts); RestoreObject (to restore objects from Archive storage); GetObjectAcl (to obtain the object ACL); PutObjectAcl (to configure the object ACL); GetObjectVersion (to obtain the content and metadata of a specified object version); GetObjectVersionAcl (to obtain the ACL of a specified object version); AbortMultipartUpload (to abort multipart uploads); ListMultipartUploadParts (to list uploaded parts); ModifyObjectMetaData (to modify object metadata)
Custom Bucket Policies
You can also customize bucket policies based on your needs. A custom bucket policy consists of five basic elements: effect, principals, resources, actions, and conditions. For details, see Bucket Policy Parameters.
Object Policies
Object policies apply to individual objects in a bucket. Whereas a bucket policy applies to a set of objects that share an object name prefix, or to all objects in the bucket (specified by an asterisk *), an object policy is configured directly for one object: select the object, and then configure the policy for it.
Object Policy Templates
OBS Console provides object policy templates for four typical scenarios. You can use the templates to quickly configure object policies.
When using a template to create an object policy, you need to specify principals (authorized users), or you can modify the template settings, including the principal, actions, and conditions. The resource is the object for which the policy needs to be configured. This resource is automatically specified by the system and does not need to be modified.
Template Name | Principal | Resource | Template Action
---|---|---|---
Read-only | To be specified | The selected object, which is automatically specified by the system and does not need to be modified | Allows specified users to perform the following actions on the current object: GetObject (to obtain object content and metadata); GetObjectVersion (to obtain the content and metadata of a specified object version); GetObjectVersionAcl (to obtain the ACL of a specified object version); GetObjectAcl (to obtain the object ACL); RestoreObject (to restore objects from Archive storage)
Read and write | To be specified | The selected object, which is automatically specified by the system and does not need to be modified | Allows specified users to perform the following actions on the current object: PutObject (to upload objects using PUT and POST, upload parts, initiate multipart uploads, and assemble parts); GetObject (to obtain object content and metadata); GetObjectVersion (to obtain the content and metadata of a specified object version); ModifyObjectMetaData (to modify object metadata); ListMultipartUploadParts (to list uploaded parts); AbortMultipartUpload (to abort multipart uploads); GetObjectVersionAcl (to obtain the ACL of a specified object version); GetObjectAcl (to obtain the object ACL); PutObjectAcl (to configure the object ACL); RestoreObject (to restore objects from Archive storage)
Public read | Anonymous user (all Internet users) | The selected object, which is automatically specified by the system and does not need to be modified | Allows anonymous users to perform the following actions on the current object: GetObject (to obtain object content and metadata); RestoreObject (to restore objects from Archive storage); GetObjectVersion (to obtain the content and metadata of a specified object version)
Public read and write | Anonymous user (all Internet users) | The selected object, which is automatically specified by the system and does not need to be modified | Allows anonymous users to perform the following actions on the current object: PutObject (to upload objects using PUT and POST, upload parts, initiate multipart uploads, and assemble parts); GetObject (to obtain object content and metadata); ModifyObjectMetaData (to modify object metadata); ListMultipartUploadParts (to list uploaded parts); AbortMultipartUpload (to abort multipart uploads); RestoreObject (to restore objects from Archive storage); GetObjectVersion (to obtain the content and metadata of a specified object version); PutObjectAcl (to configure the object ACL); GetObjectVersionAcl (to obtain the ACL of a specified object version); GetObjectAcl (to obtain the object ACL)
Custom Object Policies
You can also customize an object policy based on your service requirements. A custom object policy consists of five basic elements: effect, principal, resources, actions, and conditions, similar to a bucket policy. For details, see Bucket Policy Parameters. The resource is the selected object and is automatically configured by the system.
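As an added example (not OBS's own code or console output) covering both the Custom Bucket Policies and Custom Object Policies sections, the following Python builds the five policy elements for the Directory read-only template and then audits any bucket or object policy for Allow statements that hand write actions to anonymous users, which is what the Public read and write templates grant. The JSON field layout (Statement, Effect, Principal with an ID list or "*", Action, Resource) is assumed to follow the OBS policy format; confirm the exact field names against Bucket Policy Parameters.

```python
"""Build the 'Directory read-only' template as an OBS-style policy document and
audit any bucket or object policy for Allow statements that grant write actions
to anonymous users. Assumption: the JSON layout (Statement / Effect /
Principal{ID} / Action / Resource, with {"ID": ["*"]} or "*" meaning anonymous)
follows OBS's format; confirm field names against Bucket Policy Parameters."""
from fnmatch import fnmatchcase

# Actions from this page's "Directory read-only" bucket policy template.
DIR_READ_ONLY_ACTIONS = [
    "ListBucket", "HeadBucket", "GetBucketLocation", "ListBucketVersions",
    "GetObject", "RestoreObject", "GetObjectAcl", "GetObjectVersion",
    "GetObjectVersionAcl",
]
# Actions named on this page that change data, ACLs or the policy itself.
WRITE_ACTIONS = {"PutObject", "PutObjectAcl", "ModifyObjectMetaData",
                 "PutBucketAcl", "PutBucketPolicy", "DeleteBucket"}


def directory_read_only_policy(bucket, prefix, principal_ids):
    """Policy dict granting principal_ids read-only access under prefix."""
    return {"Statement": [{
        "Sid": "dir-read-only",
        "Effect": "Allow",
        "Principal": {"ID": list(principal_ids)},
        "Action": list(DIR_READ_ONLY_ACTIONS),
        # Bucket-level actions target the bucket; object actions target the prefix.
        "Resource": [bucket, f"{bucket}/{prefix}*"],
    }]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _is_anonymous(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("ID"))


def anonymous_write_grants(policy):
    """Return (Sid, action pattern) pairs where an Allow statement lets anonymous
    users perform any write action; wildcards such as Put* or * are expanded."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        for pattern in _as_list(stmt.get("Action")):
            name = pattern.split(":", 1)[-1]  # tolerate the "s3:PutObject" spelling
            if any(fnmatchcase(w, name) for w in WRITE_ACTIONS):
                findings.append((stmt.get("Sid", ""), pattern))
    return findings
```

Deny statements are skipped because they only restrict access; an object policy is audited the same way, since it differs only in having a single object as its Resource.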